Abstract

Motivated by algebraic attacks on stream and block ciphers ([1,2,7,13,14,15]), the concept of
algebraic immunity (AI) of a Boolean function was introduced in [21] and studied in
[3,5,10,11,17,18,19,20,21]. High algebraic immunity is a necessary condition for resisting
algebraic attacks. In this paper, we give some lower bounds on the algebraic immunity of Boolean
functions. The results are applied to give lower bounds on the AI of symmetric Boolean functions
and rotation symmetric Boolean functions. Some balanced rotation symmetric Boolean functions
with their AI near the maximum possible value $\lceil n/2 \rceil$ are constructed.

Index Terms — Algebraic attack, Boolean function, algebraic immunity, symmetric Boolean 
function, rotation symmetric Boolean function 

I. Introduction and Preliminaries 

A Boolean function of $n$ variables is a mapping $f : \mathbf{F}_2^n \to \mathbf{F}_2$, where
$\mathbf{F}_2$ is the field of two elements. The weight of a Boolean function is
$wt(f) = |S_1(f)|$, where $S_1(f) = \{(x_1, \ldots, x_n) : f(x_1, \ldots, x_n) = 1\}$ and
$|\cdot|$ is the cardinality of the set. Any Boolean function has its algebraic normal form (ANF)

$$f(x_1, \ldots, x_n) = a_0 + \sum_{i_1 < \cdots < i_t} a_{i_1,\ldots,i_t}\, x_{i_1} \cdots x_{i_t},$$

where $a_0, a_{i_1,\ldots,i_t} \in \mathbf{F}_2$. The (algebraic) degree of $f$ is the number of
variables in the highest order term in the above ANF. A Boolean function of degree 1 is called an
affine form. Given a Boolean function $f$ of $n$ variables, an $n$ variable Boolean function $g$
is called its annihilator function if $gf = 0$, or equivalently, $g$ is zero at all points of
$S_1(f)$. A Boolean function is called balanced if the number of points in $S_1(f)$ is
$wt(f) = 2^{n-1}$. The distance of two Boolean functions $f$ and $g$ is $d(f,g) = |S_1(f - g)|$.
The nonlinearity of a Boolean function $f$ is defined as $NL(f) = \min_l \{d(f,l)\}$, where $l$
ranges over all possible affine forms (see [9]).

Boolean functions are widely used in block and stream ciphers, e.g., in S-boxes, combination
generators and filter generators. It is known that Boolean functions used in cryptographic
practice have to satisfy some criteria, e.g., their degrees and nonlinearities have to be high
(see [9]). Algebraic attacks on block and stream ciphers were proposed recently (see [1], [2],
[7], [13], [14], [15]). Because of some successful algebraic attacks on several keystream
generators, it is now of interest to understand the algebraic immunity $AI(f)$ of a Boolean
function $f$, which was introduced in [21]. General properties of the algebraic immunity of
Boolean functions have been studied in [3], [10], [11], [17], [19], [20], [21]. High algebraic
immunity is a necessary (but not sufficient) condition for resisting algebraic attacks. It was
proved that the AI of an $n$ variable Boolean function is less than or equal to
$\lceil n/2 \rceil$ (see [21]). Recently several algorithms for computing the AI of Boolean
functions were given in [4]. If the $AI(f)$ of a Boolean function $f$ is relatively small, the
algorithms can be used to determine $AI(f)$ efficiently. However, it is also known that there are
Boolean functions of $n$ variables with their AI equal to the maximal possible value
$\lceil n/2 \rceil$ (see [5], [10], [12], [18]). Thus it is interesting to know more Boolean
functions with their AI equal to or near the upper bound $\lceil n/2 \rceil$.

A Boolean function is called symmetric if its value is determined by the weight of its input
vector. Symmetric Boolean functions have been studied by many authors (see [8] and references
there), motivated by block and stream ciphers. Symmetric Boolean functions are efficient in
software and hardware implementations. Thus it is of interest to know the properties of the AI of
symmetric Boolean functions. In [5], the algebraic immunity of symmetric Boolean functions was
thoroughly studied. The AI of elementary symmetric Boolean functions was explicitly determined
and some symmetric functions of maximum possible AI have been constructed. Rotation symmetric
Boolean functions (RSBF) were introduced and studied in [22] for the purpose of fast hashing.
A Boolean function $f$ on $\mathbf{F}_2^n$ is called rotation symmetric if $f(x_1, x_2, \ldots, x_n) = f(x$
for any $(x_1, x_2, \ldots, x_n) \in$ The experimental study of the algebraic immunity of RSBF was
initiated in [17]. Motivated by the possible use of symmetric and rotation symmetric Boolean
functions in cryptography, we are interested in lower bounds on the algebraic immunity of these
functions and in the construction of such functions with relatively high algebraic immunity.

We recall some basic facts about the algebraic immunity of an $n$ variable Boolean function (see
[21], [10], [19], [3]).

Definition. Let $f$ be a Boolean function on $\mathbf{F}_2^n$. Its algebraic immunity $AI(f)$ is
defined to be the smallest number $k$ such that there exists a Boolean function $g$ of degree $k$
which is an annihilator function of $f$ or $1 + f$.

Theorem 1 (see [10], [21], [17]). Let $f$ be an $n$ variable Boolean function. Then
1) $AI(f) \le \lceil n/2 \rceil$; 2) $NL(f) \ge 2\sum_{i=0}^{AI(f)-2} C_{n-1}^{i}$, where
$C_n^i$ is the binomial coefficient; 3) if $AI(f) > d$ then

$$\sum_{i=0}^{d} C_n^i \le wt(f) \le \sum_{i=0}^{n-(d+1)} C_n^i.$$

Theorem 2 (see [3]). Let $f$ be a Boolean function of $n$ variables. Suppose
$wt(f) > 2^n - 2^{n-d}$. Then any annihilator of $f$ has its algebraic degree at least $d$.

We note that Theorem 2 cannot be applied directly to balanced Boolean functions when lower
bounding the AI of Boolean functions. To our knowledge, there are quite few explicitly given
Boolean functions with the maximal possible AI, and not much is known about how to lower
bound the algebraic immunity of Boolean functions (see [10], [12], [17], [18]). In this paper we
apply Theorem 2 to the restrictions of Boolean functions on some affine subspaces of
$\mathbf{F}_2^n$. Thus we present a method to obtain some lower bounds on the algebraic immunity
of Boolean functions. In this case, it is possible that the restrictions of the annihilator
functions on the affine subspaces are zero. However, if sufficiently many affine subspaces are
taken, this consideration leads to some useful results on the lower bound for the AI of Boolean
functions.

II. Main Result 

The following Theorem 3 is the main result of this paper. 

Theorem 3. If $f$ is a Boolean function on $\mathbf{F}_2^n$ and $L_1$ (respectively $L_2$) is an
affine subspace with dimension $t$ (respectively $s$), such that
$|S_1(f|_{L_1})| > 2^t - 2^{t-d}$ (respectively $|S_1((1+f)|_{L_2})| > 2^s - 2^{s-d}$), then

1) either the annihilator functions of $f$ with minimum possible degree (respectively the
annihilator functions of $1 + f$ with minimum possible degree) have their degree at least $d$, or

2) the annihilator functions of $f$ with minimum possible degree (respectively the annihilator
functions of $1 + f$ with minimum possible degree) are zero on $L_1$ (respectively on $L_2$).

When Theorem 3 is applied to balanced Boolean functions and codimension 1 affine subspaces,
we have the following simple conclusion. The proof of Corollary 1 is a direct application of
Theorem 3.

Corollary 1. Let $f$ be a balanced Boolean function on $\mathbf{F}_2^n$ and $l$ be an affine form
on $\mathbf{F}_2^n$. Suppose $d(f, l) > 2^n - 2^{n-d}$. Then we have,

1) either the algebraic immunity $AI(f)$ is at least $d$, or

2) the annihilator functions of $f$ with the minimum possible degree or the annihilator functions
of $1 + f$ with the minimum possible degree contain $l$ as a factor.

In Section III we use Theorem 3 to give lower bounds on the algebraic immunity of some
symmetric and rotation symmetric Boolean functions by using sufficiently many affine subspaces.

We also have the following result about the Hamming weight of the restrictions of Boolean 
functions on affine subspaces. 

Corollary 2. Let $f$ be a Boolean function on $\mathbf{F}_2^n$ with $AI(f) = d + 1$ and $L$ be an
affine subspace of $\mathbf{F}_2^n$ with codimension $r$. Then the Hamming weight of $f$
restricted on $L$ satisfies

When Corollary 2 is applied to symmetric Boolean functions we have the following result.

Corollary 3. Let $f$ be an $n$ variable symmetric Boolean function. Then $f$ cannot have the
maximal possible algebraic immunity $\lceil n/2 \rceil$ in the following two cases.

1) When $n$ is odd and $wt(x) > \lfloor n/2 \rfloor$, $f(x)$ is 1 only when $wt(x)$ is odd (or
only when $wt(x)$ is even); $f(x)$ can be arbitrary for $wt(x) < \lfloor n/2 \rfloor$.

2) When $n$ is even and $wt(x) > n/2 - 1$, $f(x)$ is 1 only when $wt(x)$ is odd (or only when
$wt(x)$ is even); $f(x)$ can be arbitrary for $wt(x) < n/2 - 1$.

By computing $d(f, l)$, where $l$ is the affine form $x_1 + \cdots + x_n$ or
$x_1 + \cdots + x_n + 1$, and applying Corollary 2, we have the conclusion of Corollary 3
immediately.

Proof of Theorem 3. Let $g$ be an annihilator function of $f$, that is, $gf = 0$. We have
$(g|_{L_1})(f|_{L_1}) = 0$. From Theorem 2, $g|_{L_1}$ has its algebraic degree at least $d$ if
it is not the zero function. The conclusion is proved.

Proof of Corollary 2. Let $l_1, \ldots, l_r$ be $r$ linearly independent affine forms such that
$L$ is defined by $l_1 = \cdots = l_r = 0$. Considering the Boolean function $f|_L$ as a Boolean
function of $n - r$ variables, if its algebraic immunity is smaller than $d - r$, we have a
Boolean function $g'$ of $n - r$ variables with algebraic degree at most $d - r$ such that
$g'(f|_L) = 0$ or $g'((1 + f)|_L) = 0$. Thus the Boolean function
$g = (l_1 + 1) \cdots (l_r + 1) g'$ can be thought of as a Boolean function of $n$ variables of
algebraic degree at most $d$. We have $gf = 0$ or $g(1 + f) = 0$. This is a contradiction.
Therefore the algebraic immunity of $f|_L$ is at least $d - r + 1$, and we have the conclusion of
1) from Theorem 1.

III. Lower Bound for AI of Symmetric and Rotation Symmetric Boolean Functions 

In this section we use the main result to prove some lower bounds on the algebraic immunity 
of symmetric and rotation symmetric Boolean functions. 

A. Symmetric Boolean Functions 

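Corollary 4. Let $f$ be an $n$ variable symmetric Boolean function with simplified value vector
$v(f) = (v_0(f), \ldots, v_i(f), \ldots, v_n(f))$, i.e., $f(x) = v_i(f)$ when $wt(x) = i$. Set

$$U = \min\Big\{ \sum_{v_i(f)=1,\ i<\lceil n/2\rceil} C_{\lceil n/2\rceil}^{\,i},\ \sum_{v_i(f)=0,\ i>\lfloor n/2\rfloor} C_{\lceil n/2\rceil}^{\,i-\lfloor n/2\rfloor} \Big\}.$$

Suppose $U > 2^{\lceil n/2\rceil} - 2^{\lceil n/2\rceil - d}$. Then $AI(f) \ge d+1$.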

Proof. Let $i_1, \ldots, i_{\lfloor n/2\rfloor}$ be arbitrary $\lfloor n/2\rfloor$ indices, and
$L_\delta$ be the dimension $\lceil n/2\rceil$ subspace of $\mathbf{F}_2^n$ defined by
$x_{i_1} = \cdots = x_{i_{\lfloor n/2\rfloor}} = \delta$, where $\delta = 0$ or $\delta = 1$. If
the condition of Corollary 4 is satisfied,
$|S_1(f|_{L_0})| > 2^{\lceil n/2\rceil} - 2^{\lceil n/2\rceil - d}$ and
$|S_1((1 + f)|_{L_1})| > 2^{\lceil n/2\rceil} - 2^{\lceil n/2\rceil - d}$. From Theorem 3, either
$AI(f) > d$ or the annihilator functions of $f$ or $1 + f$ with minimum possible degree are zero
on $L_0$ and $L_1$. This implies that the monomials in the algebraic normal forms of $f$ (and
$1 + f$) have to contain at least $\lceil n/2\rceil$ variables. In the latter case
$AI(f) = \lceil n/2\rceil$. The conclusion is proved.

Example 1. Let $f$ be a 15 variable symmetric Boolean function
$f = \sigma_2 + \sigma_4 + \sigma_6 + \sigma_{10} + \sigma_{12} + \sigma_{14}$.
Then we have its simplified value vector $v_f = (0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1)$.
Then $U = 246 > 240$ and $AI(f) \ge 5$.

Example 2. Let $f$ be an $n$ variable symmetric Boolean function,
$I = \{1, \ldots, \lfloor n/2\rfloor, n - i\} - \{i\}$ where $i < \lfloor n/2\rfloor$, and
$J = \{\lceil n/2\rceil, \ldots, n, i\} - \{n - i\}$. The symmetric Boolean function is defined as
follows.

$f(x) = 1$, $wt(x) \in I$
$f(x) = 0$, $wt(x) \in J$

Let $t$ be the smallest positive integer such that $C_{\lceil n/2\rceil}^{\,i} + 1 < 2^t$. It is
clear that $t < i\log_2 n - i$. We have $U > 2^{\lceil n/2\rceil} - 2^t$ and
$AI(f) \ge \lceil n/2\rceil - t + 1$. It is obvious that $t$ is asymptotically less than
$i\log_2 n$. These Boolean functions have their algebraic immunities asymptotically larger than
$n/2 - i\log_2 n + i - 1$.

It is observed from Corollary 4 and Example 2 that, for a symmetric Boolean function $f$ with the
property that most vectors in $S_1(f)$ have their weight less than $\lceil n/2\rceil$ and most
vectors in $S_0(f)$ have their weight larger than $\lceil n/2\rceil$, its AI is relatively high.
This suggests that these symmetric Boolean functions can possibly be used in stream ciphers, if
they satisfy other cryptographic criteria.
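
The bound of Corollary 4 can be checked numerically. The following Python sketch is an added example, not code from the paper: it evaluates $U$ and the resulting bound $d+1$ for the value vector of Example 1, and computes the exact AI of a small symmetric function by linear algebra over $\mathbf{F}_2$, following the Definition (smallest degree of a nonzero annihilator of $f$ or $1+f$). The function names and the 5-variable sample vector are assumptions made for illustration.

```python
from itertools import combinations
from math import comb

def gf2_rank(rows):
    """Rank over GF(2); each row is an int bitmask."""
    basis = {}                                # leading-bit position -> reduced row
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in basis:
                basis[h] = r
                break
            r ^= basis[h]
    return len(basis)

def algebraic_immunity(truth, n):
    """Smallest degree k of a nonzero annihilator of f or of 1 + f."""
    ones = [x for x in range(1 << n) if truth[x]]
    zeros = [x for x in range(1 << n) if not truth[x]]
    for k in range(n + 1):
        # all monomials of degree <= k, each stored as a bitmask of its variables
        monos = [sum(1 << i for i in c)
                 for d in range(k + 1) for c in combinations(range(n), d)]
        for pts in (ones, zeros):             # g vanishes on S_1(f) or on S_1(1 + f)
            rows = [sum(1 << j for j, m in enumerate(monos) if (x & m) == m)
                    for x in pts]
            if gf2_rank(rows) < len(monos):   # nontrivial kernel: annihilator exists
                return k

def corollary4_bound(v):
    """Return (U, d + 1) for a simplified value vector v = (v_0, ..., v_n)."""
    n = len(v) - 1
    hi, lo = (n + 1) // 2, n // 2             # ceil(n/2), floor(n/2)
    U = min(sum(comb(hi, i) for i in range(hi) if v[i] == 1),
            sum(comb(hi, i - lo) for i in range(lo + 1, n + 1) if v[i] == 0))
    ds = [d for d in range(hi + 1) if U > 2**hi - 2**(hi - d)]
    return U, (max(ds) + 1 if ds else 0)      # 0: the corollary gives no bound

def symmetric_truth_table(v):
    # f(x) = v[wt(x)], with x running over the integers 0 .. 2^n - 1
    return [v[bin(x).count("1")] for x in range(1 << (len(v) - 1))]

# Value vector of Example 1, as printed in the text (n = 15)
V15 = (0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1)
# Constructed sample (assumption): n = 5, f(x) = 1 iff wt(x) < n/2
MAJ5 = (1, 1, 1, 0, 0, 0)

if __name__ == "__main__":
    print(corollary4_bound(V15), corollary4_bound(MAJ5),
          algebraic_immunity(symmetric_truth_table(MAJ5), 5))
```

For the 5-variable sample the bound is tight: Corollary 4 gives 3 and the exact computation also returns 3. The exact search is only practical for small $n$, since the number of monomials grows quickly.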

B. Rotation Symmetric Boolean Functions 

In this subsection we use Theorem 3 to give a lower bound for the algebraic immunity of RSBFs.

Example 3. Let $f$ be a rotation symmetric Boolean function of 6 variables

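$$
\begin{aligned}
f ={}& x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_1 + x_6x_1x_2 \\
&+ x_1x_4 + x_2x_5 + x_3x_6 + x_1x_3x_5 + x_2x_4x_6 \\
&+ x_1x_2x_3x_4 + x_2x_3x_4x_5 + x_3x_4x_6x_1 \\
&+ x_1x_2x_3x_4x_5 + x_2x_3x_4x_5x_6 + x_3x_4x_5x_6x_1 + x_4x_5x_6x_1x_2 + x_5x_6x_1x_2x_3 + x_6x_1x_2x_3x_4
\end{aligned}
$$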

This is a balanced Boolean function with nonlinearity 24 and $A(f) = 40$, which satisfies the
PC(2) criterion (see [24]).

We consider two affine subspaces $L_1$ (respectively $L_2$) in $\mathbf{F}_2^6$ defined by
$x_1 = x_2 = x_3 = 0$ (respectively $x_1 = 1, x_2 = x_3 = 0$). It is easy to check that
$S_1((1 + f)|_{L_1})$ has 7 points (in $L_1$) and $S_1(f|_{L_2})$ has 5 points (in $L_2$). Thus
the annihilator functions of $1 + f$ (respectively, $f$) have degree at least 2 or are zero on
$L_1$ (respectively $L_2$). In the latter case, the annihilator functions of $1 + f$
(respectively, $f$) are zero on any rotation transformation of $L_1$ (respectively, $L_2$). From
this observation, we have $AI(f) \ge 2$.

Example 4. It is clear that each orbit in $\mathbf{F}_2^n$ under the circular action
$\rho(x_1, x_2, \ldots, x_n) = (x_n, x_1, \ldots, x_{n-1})$ contains $h$ elements, where $h$ is a
factor of $n$. On the other hand the orbit of a weight $i$ vector in $\mathbf{F}_2^n$ under the
action of all permutations contains $C_n^i$ elements, and is the union of orbits of circular
actions.

From [5] and [8] we know the following balanced symmetric Boolean function $f$ of $n$ ($n$ is
odd) variables has the maximal possible AI $\lceil n/2\rceil$.

$f(x) = 1$, $wt(x) < n/2$
$f(x) = 0$, $wt(x) > n/2$

When $n$ is even, the value $b$ in the following definition can be suitably chosen such that the
function is balanced (in this case the function is not symmetric, however it can be rotation
symmetric if $b$ is chosen to be the same on the orbits of circular actions).

$f(x) = 1$, $wt(x) < n/2$
$f(x) = 0$, $wt(x) > n/2$
$f(x) = b \in \mathbf{F}_2$, $wt(x) = n/2$

If we exchange some orbits under circular actions in the two sets $S_0(f)$ and $S_1(f)$, we get
some rotation symmetric Boolean functions and the lower bound on their AI can be proved by
applying Theorem 3. Let $H \subset S_0(f)$ and $H' \subset S_1(f)$ be two subsets with the same
cardinality, which are the union of orbits under circular actions. Set
$X = S_0(f) \cup H' - H$, $X' = S_1(f) \cup H - H'$. Let $f'$ be the Boolean function with
$S_0(f') = X$, $S_1(f') = X'$. This is a balanced Boolean function. We have the following result.

Corollary 5. $AI(f') \ge \lceil n/2\rceil - \lceil \log_2|H| \rceil$.

When $n$ goes to infinity, we have constructed some balanced rotation symmetric Boolean
functions with their algebraic immunity asymptotically equal to $\lceil n/2\rceil - \log_2 n$ if
$|H| = |H'| = n$ (e.g., $H$ and $H'$ consist of one orbit).

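Proof. Let $i_1, \ldots, i_{\lfloor n/2\rfloor}$ be arbitrary $\lfloor n/2\rfloor$ distinct
indices, and $L_\delta$ be the dimension $\lceil n/2\rceil$ subspace of $\mathbf{F}_2^n$ defined
by $x_{i_1} = \cdots = x_{i_{\lfloor n/2\rfloor}} = \delta$, where $\delta = 0$ or $\delta = 1$.
We have $S_1(f') \supset S_1(f) - H'$ and
$|S_1(f'|_{L_0})| > 2^{\lceil n/2\rceil} - 2^{d}$, where $d = \lceil \log_2|H'| \rceil$.
Similarly we have $S_1(1 + f') \supset S_1(1 + f) - H$ and
$|S_1((1 + f')|_{L_1})| > 2^{\lceil n/2\rceil} - 2^{d}$. From Theorem 3, either
$AI(f') \ge \lceil n/2\rceil - \lceil \log_2|H| \rceil$ or the annihilator functions of $f'$ or
$1 + f'$ are zero on $L_0$ and $L_1$. This implies that the monomials in the algebraic normal
forms of $f'$ and $1 + f'$ have to contain at least $\lceil n/2\rceil$ variables. In the latter
case $AI(f') = \lceil n/2\rceil$. The conclusion is proved.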

IV. Conclusion 

We presented a method to obtain some lower bounds on the algebraic immunity of Boolean
functions. When the results are applied to symmetric or rotation symmetric Boolean functions,
some lower bounds on the algebraic immunity can be proved for these Boolean functions. Some
rotation symmetric Boolean functions with their AI near the maximal possible value
$\lceil n/2\rceil$ are constructed. Our method suggests some symmetric and rotation symmetric
Boolean functions of a large number of variables with high algebraic immunity. Thus they can
possibly be used in stream ciphers if these Boolean functions satisfy other cryptographic
criteria.

Acknowledgement. The work of the first author was supported in part by NNSF of China
under Grant 90607005 and Distinguished Young Scholar Grant 10225106.